From: Gerard S. <car...@ou...> - 2016-09-30 10:13:57
I have had sshguard working perfectly on my FreeBSD-11.0 system for several months now. Suddenly, I am finding the following entries in my mail log:

Sep 30 04:52:54 scorpio postfix/smtpd[85858]: warning: hostname ip-address-pool-xxx.fpt.vn does not resolve to address 118.71.251.67: hostname nor servname provided, or not known
Sep 30 04:52:54 scorpio postfix/smtpd[85858]: connect from unknown[118.71.251.67]
Sep 30 04:52:55 scorpio postfix/smtpd[85858]: disconnect from unknown[118.71.251.67] helo=1 auth=0/1 quit=1 commands=2/3

While the IP address will change, the action is never blocked by sshguard. Shouldn't sshguard recognize this as an attack and block it?

-- 
Carmel
From: Jim S. <jse...@Li...> - 2016-09-30 10:40:31
On Fri, 30 Sep 2016 10:13:44 +0000
Gerard Seibert <car...@ou...> wrote:

[snip]
>
> While the IP address will change, the action is never blocked by
> sshguard. Shouldn't sshguard recognize this as an attack and block it?

I should certainly hope not. If one took to blackholing every system on the 'net that had wonky DNS, they'd have a significant portion blocked a significant amount of the time.

It may be in conjunction with an attack, but those log entries, in and of themselves, do not suggest an attack.

If you do not wish to accept email from such sources (I would not, but that's a personal/corporate/site preference), you can use one of the appropriate Postfix config directives.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
From: Gerard S. <car...@ou...> - 2016-09-30 11:39:11
On Fri, 30 Sep 2016 06:40:20 -0400, Jim Seymour stated:

>On Fri, 30 Sep 2016 10:13:44 +0000
>Gerard Seibert <car...@ou...> wrote:
>
>[snip]
>>
>> While the IP address will change, the action is never blocked by
>> sshguard. Shouldn't sshguard recognize this as an attack and block
>> it?
>
>I should certainly hope not. If one took to blackholing every system
>on the 'net that had wonky DNS, they'd have a significant portion
>blocked a significant amount of the time.
>
>It may be in conjunction with an attack, but those log entries, in and
>of themselves, do not suggest an attack.
>
>If you do not wish to accept email from such sources (I would not, but
>that's a personal/corporate/site preference), you can use one of the
>appropriate Postfix config directives.

You are certainly entitled to your opinion; however, I feel that the number of legitimate sites failing reverse DNS is trivial. You will notice the "whois" output below. I know no one in Vietnam and feel quite confident in stating that this was an example of an attempt to hack into my mail system. As I stated, I have found several hacks like this before, with different IPs of course.

I was advised to use the following in my postfix config file: "reject_unknown_reverse_client_hostname". I will be checking the log file judiciously to see if in fact any legitimate sites are being blocked.

Thanks for your response.
~ $ whois 118.71.251.67
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.apnic.net

inetnum:      118.0.0.0 - 118.255.255.255
organisation: APNIC
status:       ALLOCATED

whois:        whois.apnic.net

changed:      2007-01
source:       IANA

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '118.71.240.0 - 118.71.255.255'

inetnum:        118.71.240.0 - 118.71.255.255
netname:        fpt-net
descr:          Vung dia chi IP cap cho dich vu IPTV tai Hai Phong
country:        vn
admin-c:        fhig1-ap
tech-c:         fhig1-ap
status:         ASSIGNED NON-PORTABLE
mnt-by:         maint-vn-fpt
changed:        hm-...@vn... 20080923
source:         APNIC

role:           FPT HANOI IPADMIN GROUP
address:        48 Van Bao, Ba Dinh
address:        Ha Noi
country:        VN
phone:          +84-4-7601060
fax-no:         +84-4-7262163
e-mail:         fte...@fp...
remarks:        send spam reports to fte...@fp...
admin-c:        TPV1-AP
tech-c:         NTT9-AP
nic-hdl:        FHIG1-AP
notify:         hm-...@vn...
mnt-by:         MAINT-VN-FPT
changed:        hm-...@vn... 20090325
changed:        hm-...@ap... 20111114
changed:        hm-...@vn... 20141113
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

-- 
Carmel
From: Jim S. <jse...@Li...> - 2016-09-30 12:43:33
On Fri, 30 Sep 2016 11:38:58 +0000
Gerard Seibert <car...@ou...> wrote:

[snip]
>
> You are certainly entitled to your opinion; however, I feel that the
> number of legitimate sites failing reverse DNS is trivial.

Hardly. IME the number of people administering networks that are actually competent at it and conscientious about their job are outnumbered by the number that are not either one, the other or both.

From my personal server at home, from yesterday, alone, there were 254 SMTP connections where the hostname did not resolve to the correct, or any, IP address. 79 of those were unique hostnames, from at least twenty TLDs from all over the world.

> You will
> notice the "whois" output below. I know no one in Vietnam

There's no way for sshguard to "know" that :)

> and feel
> quite confident in stating that this was an example of an attempt to
> hack into my mail system.

Via Postfix' SMTPD daemon? *snort* Won't bloody likely encounter much success with that.

In any event: There's nothing in the signature of those log lines to suggest sshguard, or any other IDS, should take action. As I wrote, earlier: Those log lines, in and of themselves, are merely reflective of poorly set up DNS. That doesn't mean somebody's not trying to find a vulnerability in your server, merely that *those* log lines don't make the case that they are.

In the network admin/security world we tend to abide by Hanlon's Razor: "Never attribute to malice that which is adequately explained by stupidity." (Sometimes substituting "incompetence" for "stupidity.")

[snip]
> I was advised to use
> the following in my postfix config file:
> "reject_unknown_reverse_client_hostname".

That is the weaker, and, therefore, less-likely-damaging of the two restrictions you might have added. I'll leave it at that, being as Postfix configuration is OT for this mailing list.

[snip]
>
> Thanks for your response.

You're welcome,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam filtering.
If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
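To make the distinction in the thread concrete, here is an added example (written for this page; it is not sshguard's matcher and not Postfix code) that parses Postfix smtpd log lines of the three shapes quoted in the first post and reports, per client IP, whether the reverse-DNS warning fired and whether any AUTH command was issued but not accepted. The sample log is constructed: its first three lines follow the original post, the remaining lines are invented (192.0.2.10 is a documentation address, mx.example.invalid a made-up name). It assumes the Postfix 3.x "disconnect from" summary format, in which each counter is accepted/issued and the "/issued" part is omitted when every issued command was accepted; on that reading, the post's auth=0/1 records one AUTH command issued and none accepted, whether because credentials failed or because AUTH was not offered.

```python
"""Sort Postfix smtpd log lines by what they actually show.

Added example for this thread: not sshguard's matcher and not Postfix code.
Assumes the Postfix 3.x "disconnect from" summary format, where each counter
is accepted/issued and "/issued" is omitted when every command was accepted.
"""
import re
from collections import defaultdict

# Constructed sample log. The first three lines follow the original post;
# the rest are invented (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Sep 30 04:52:54 scorpio postfix/smtpd[85858]: warning: hostname ip-address-pool-xxx.fpt.vn does not resolve to address 118.71.251.67: hostname nor servname provided, or not known
Sep 30 04:52:54 scorpio postfix/smtpd[85858]: connect from unknown[118.71.251.67]
Sep 30 04:52:55 scorpio postfix/smtpd[85858]: disconnect from unknown[118.71.251.67] helo=1 auth=0/1 quit=1 commands=2/3
Sep 30 05:10:01 scorpio postfix/smtpd[85901]: warning: hostname mx.example.invalid does not resolve to address 192.0.2.10: hostname nor servname provided, or not known
Sep 30 05:10:01 scorpio postfix/smtpd[85901]: connect from unknown[192.0.2.10]
Sep 30 05:10:04 scorpio postfix/smtpd[85901]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

WARNING_RE = re.compile(r"warning: hostname (\S+) does not resolve to address (\S+):")
DISCONNECT_RE = re.compile(r"disconnect from (\S+)\[([^\]]+)\](.*)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_counters(summary):
    """'helo=1 auth=0/1' -> {'helo': (1, 1), 'auth': (0, 1)} as (accepted, issued)."""
    counters = {}
    for name, accepted, issued in COUNTER_RE.findall(summary):
        accepted = int(accepted)
        counters[name] = (accepted, int(issued) if issued else accepted)
    return counters


def new_record():
    return {"rdns_failed": False, "sessions": 0, "auth_issued": 0, "auth_accepted": 0}


def summarize(log_text):
    """Per client IP: did reverse DNS fail, and how many AUTH commands were issued vs accepted."""
    clients = defaultdict(new_record)
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            # The DNS warning only says the PTR/A check failed; it names no attack.
            clients[m.group(2)]["rdns_failed"] = True
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            rec = clients[m.group(2)]
            rec["sessions"] += 1
            accepted, issued = parse_counters(m.group(3)).get("auth", (0, 0))
            rec["auth_issued"] += issued
            rec["auth_accepted"] += accepted
    return dict(clients)


def rejected_auth(rec):
    """True when the client issued AUTH commands the server did not accept.
    That, not the reverse-DNS warning, is the part of the session a
    login-failure watcher could reasonably act on."""
    return rec["auth_issued"] > rec["auth_accepted"]


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec, "rejected AUTH" if rejected_auth(rec) else "no AUTH rejected")
```

Run against the sample, both clients fail reverse DNS, but only 118.71.251.67 shows an issued-and-rejected AUTH; the second client completes an ordinary TLS-protected delivery, which is exactly the kind of badly-configured-but-legitimate sender that blocking on the DNS warning alone would cut off.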